Slashdot Mirror


TSA Now Investigating Boarding Pass Hacker

An anonymous reader writes "A week after the Justice Department cleared him of any wrongdoing, Chris Soghoian, the Indiana University PhD student who created an online boarding pass generator for Northwest Airlines to highlight security holes, is on the government's 'no-fly' list. The Transportation Security Administration has now launched its own investigation, says Wired blog 27strokeB. The TSA is claiming that Soghoian 'attempted to circumvent an established civil aviation security program established in the Transportation Security Regulations,' violations of which carry fines of up to $11,000 per violation. That could be a steep fine, says Washingtonpost.com's Security Fix blog: 'Something like 35,000 people viewed and possibly used the boarding pass generator during the less than 72 hours that it was live on his site in November. Soghoian told WaPo: "If they decide that the only safe way for me to leave the country is by boat, then that's pretty much the end of my career here in the States. It's one thing to harass researchers, but if they can chase them out of the country, then that's a real chilling effect."'"

11 of 270 comments

  1. Welcome to life under Occupation. Population You. by mikelieman · · Score: 1, Interesting

    Enjoy your stay.

    --
    Technology -- No Place For Wimps! Grateful Dead and Jerry Garcia Chatroom -- http://www.wemissjerry.org
  2. Security Threat by Archangel+Michael · · Score: 4, Interesting

    This whole airline TSA thing is a crock of BS. Overkill.

    So, a bunch of terrorists captured a couple of airplanes and flew them into buildings. Yeah, a bunch of people died, which is tragic. And the Economy Burped, which is ... expected.

    However, we've learned our lesson, and have secured the airplanes better. In addition, I doubt, HIGHLY DOUBT, that they could get anywhere close to doing the same thing, given the same circumstances, mainly because the passengers wouldn't stand for it.

    Screening 80 year old grandmas of their knitting needles is stupid. Taking off shoes is stupid. Banning Liquids is stupid. For all the inconvenience of it all, it will not prevent someone from trying to by-pass whatever security is set up, and eventually they will succeed.

    I know for a fact that I could bring a knife on board a plane even today, even passing through all the security. They can't stop me if they can't see it. And there are such knives available.

    The point is, all this "security" isn't really designed to prevent hijackers, it is designed to placate the masses. See my sig for more info.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    1. Re:Security Threat by bonoboboy · · Score: 2, Interesting

      Agreed. The terrorist attacks changed *nothing,* unlike what so many political leaders have been telling us since moments after 9/11 occurred. Yes, it was tragic, but it wasn't the result of some mass terrorist uprising. There have always been terrorists, and there always will be. "Terrorism" is simply the buzzword of the decade, used to manipulate people to particular ends. I wonder how long it's going to be before certain unnamed agencies are bitch-slapped back into legal and logical operations.

  3. double jeopardy? by Joe+The+Dragon · · Score: 1, Interesting

    This may fall under double jeopardy

  4. Re:Irresponsible researcher by Midnight+Thunder · · Score: 2, Interesting

    This is something I was thinking. It is one thing proving there is an exploitation, it is another making it available to just anyone. The least he could have done is print void over the valid document he created. When you live in a society you need to exert a certain sense of responsibility. It should also be noted nothing is free from flaws and no security will ever be perfect.

    --
    Jumpstart the tartan drive.
  5. Re:he has it coming by phoenixwade · · Score: 2, Interesting

    No, I strongly disagree. The DOJ has already decided he is not a criminal, or at least decided not to prosecute. TSA seems to be getting their panties in a wad because he pointed out that the system is flawed, and did it in such a way as to force them to fix it. However, he didn't defraud anyone. He didn't use the tool to fly or to even bypass security. Seems to me, that after 4 years of TSA "Security" (more actually, but let's count from 9/11) stupid holes like that one should have been fixed.

    --
    A positive attitude may not solve all your problems, but it will annoy enough people to make it worth the effort.
  6. NWA Boarding Passes are just HTML by Anonymous Coward · · Score: 1, Interesting

    I'll probably be on the no-fly list soon for this, but it's worth pointing out that what Chris did to NWA's boarding passes could be duplicated by just about anyone without special software. While I don't agree with how he exposed the issue (he should have used a fake airline/pass to show the risk), it is worth exposing some very very bad software design. The real criminals here are the coders who developed the boarding pass system for NWA.

    The NWA online boarding pass generator uses HTML to render the boarding passes. There's no image processing or anything special involved in changing values on these. Just save it to your desktop, open it in your favorite text editor, and change the text. Bingo. You're flying first class.

  7. Re:The US doesn't have enough smart people... by Anonymous Coward · · Score: 1, Interesting

    Or silence them.

    Not to mention, this easily generates more of an underground. (I'm one who believes that the harder it is to get a tech job, the more black hatters form.) Before, researchers would publish their data to earn their keep or notoriety; remove that incentive, that white hat economy, however small, and it potentially generates a black hatter economy. And like many economies, usually it's the start that snowballs into something larger.

    Worse, and more directly, there are people that *do not* fly because of this. Myself, since 9/11, I've had the time and money to travel the US. I haven't; no freakin way I'm going to go to an airport and get harassed, and not knowing this damn security hole isn't fixed. Like XP, you see one hole that doesn't get fixed for months, you start to wonder what else is lurking. I'm one person, but that's tens of thousands not spent on air travel alone (and those tens of thousands meanwhile have generated more foreign wealth because of the hamstrings the US government and businesses have put on "innovation" in the US).

    I've become more of a cynic over the years; I just keep my damn mouth shut when a security hole or bug is found. The system, imo, is stacked against you. Come up with a discovery, someone else patents it. Publish it, get harassed, threatened, or jailed. Now that government is going to hammer on you, why take the risk; not only is there no reward, there is punishment.

    Meanwhile, the security hole *remains in effect.* If they'd put a sliver of the energy they put into harassing, investigating, and highlighting this guy, they could have closed the hole completely.

  8. Re:Proving a point is expensive.... by elviscious · · Score: 2, Interesting

    Hmm, you might actually be correct about that, although I will point out that doing so outside of the US is illegal regardless of intent. I think this is probably the more appropriate law for your example. So (standard disclaimer applies, i.e. IANAL) as long as you make no attempt to actually pass these off as genuine (regardless of whether you receive any compensation) it appears to be legal. In the gentleman's case, I would probably argue that indeed he was passing them off as genuine, although probably without full regard to the consequences. A nice watermark on them still would have been a good idea.

    Regardless, you are correct about the counterfeiting being legal.

  9. Re:Final proof the no-fly list isn't about safety by rabiddeity · · Score: 2, Interesting

    Indeed. But keep in mind it's done with the complicity of the airlines. There's no law on the books that says a passenger on some list can't fly on an airplane, because that would be discriminatory, right? But an airline has the right to refuse service to anyone for any reason, and that's how they get around it. Hey, if you wanted to, you could always charter a jet and they can't stop you, assuming you have assloads of cash. So EACH AND EVERY AIRLINE delegates the responsibility of refusing service off to the TSA, ho hum, everything is legal. It also makes sure that the "oh shit, we screened the wrong person" stuff gets foisted off onto the TSA instead of the individual airlines. Yes, of course it's bullshit. Conspiracy? You tell me.

    This holds up against legal recourse because they refund your money or otherwise compensate you for your inconvenience (usually by giving you a ticket to a later flight, oh joy), thus keeping you from suing them for not providing a service paid for. Ideally you should be able to sue because they delayed your flight, you lost money because you missed a crucial business meeting from being delayed at security, etc. But for that reason, the airlines don't have a clause in their contract that says they HAVE to get you there on time. In fact if you actually read the contract you'll see that it leaves you with little recourse in the event of anything happening. Every plane in the fleet could be grounded because of incompetence and you have no way to sue them for breach of contract. None.

  10. Re:Proving a point is expensive.... by dch24 · · Score: 3, Interesting

    "Anyone who says we don't need anonymity just doesn't fear the government enough for their own good. And anyone who makes the government look bad without at least trying to hide their identity needs to study their history a tad more."

    Although I agree with you, can I rephrase that?

    Anyone who makes the government / any powerful organization look bad without at least pausing to think about the repercussions is foolish. Hiring a lawyer might be a good idea. Contacting the TSA and giving them six months notice is also a good idea. Contacting two or three major newspapers and letting them know about it is also a good idea.

    But for once, I think Chris Soghoian is brave to use his real name and not hide. If he is really willing to face imprisonment and fines to make the TSA more accountable, the USA safer, and the draconian new "security" measures less credible, he's brave and patriotic in my book.

    Just my two cents.